Security
- Human error still accounts for the majority of security incidents – 79.3%.
  - 53% of organizations do not have written IT security policies.
  - 50% have no plans to implement security awareness training.
  - 63% have no plans to hire IT security personnel in the next year.
  - 27% of firms polled require IT security training and only 12% require any form of certification.
May 17, 2005 – Third annual CompTIA study
http://www.comptia.org/about/pressroom/get_pr.aspx?prid=611

“It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change”
Charles Darwin

“Sometimes it's the smallest decisions that can change your life forever”
Bruce Barton

16.10.2007 www.itSMF.co.il

“Great things are not done by impulse but by a series of small things brought together”
Vincent Van Gogh

Change Management by ITIL
- ITIL Change Management - Mission Statement
  - To ensure that standardized methods and procedures are used for efficient and prompt handling of all requests for changes in order to minimize the impact of change-related incidents on service quality and to improve the day-to-day operations of the organization and the service levels.
  - To make an appropriate response to a Change request entails a considered approach to assessment of risk and business continuity, Change impact, resource requirements and Change approval. This considered approach is essential to maintain a proper balance between the need for Change against the impact of the Change.
  - It is particularly important that Change Management processes have high visibility and open channels of communication in order to promote smooth transitions when Changes take place.
  - Apply ongoing continuous improvement techniques to the Change Management process.

Change Management: doesn't move an inch without its crew
- The tight link between the change management process and the Assets & Config Management and Release Management processes
- Change Management: Is the set of standardized processes and tools used to handle change requests in order to support the business while managing risks. (Risk Management)
- The three process areas must work together and share information.
- Release Management: Uses formal controls and processes to safeguard the production environment. Coordinates the rollout of changes. (Quality Control)
- Asset & Configuration Management: Focuses on tracking and documenting configurations and then providing this information to other areas including Change and Release Management. Configuration tracks relationships to understand who is affected and assess impact.

Who should be a member of the CAB
- Change Manager (ITIL role)
- Problem Manager (ITIL role)
- Service Level Manager (ITIL role)
- Affected customers and users
- Development staff
- Consultants / Vendors / Outsourcers
- Services Staff
- Service Desk
- IT Security
- IT Audit
- Note:
  - The CAB will be composed based on the changes to be considered
    - Attendees can vary, even during a given meeting
  - The CAB is a decision-making body, not a forum for communications.
    - Ask “Does the potential attendee add a needed perspective?”
    - Use the Forward Schedule of Change (FSC) to communicate

Emergency Change
The EC Process
- Emergency changes still follow a process
- Change manager convenes the CAB or CAB/EC
- They then quickly review resources, impact and urgency to make a go/no-go decision.
- The change manager can authorize without the CAB or CAB/EC
- Emergency changes have higher risk as they follow an abbreviated process
- Follow a defined escalation list
- Follow a defined checklist
- Test in greater detail afterwards
- Review in the next CAB meeting

Reducing costs and service problem repair times
The relationship between change management and MTTR
- MTTR is the average time it takes to recover a service to a level acceptable in the service level agreement.
- If we don’t know what changed, the first part of dealing with an incident is trying to figure that out!!!!
- Groups with poor change management spend an inordinate amount (as high as 80% of time) of the MTTR simply trying to figure out what changed.
- Blame Storming meetings of all experts (experts cost a lot of $)
- Phone calls, emails, running down the hall, etc.
- MTTR is impacted negatively by poor change management.

Reducing faults caused by changes
The relationship between change management and improving service quality

"Inspection with the aim of finding the bad ones and throwing them out is too late, ineffective, costly. Quality comes not from inspection but from improvement of the process"
W. Edwards Deming

- Is IT paid to make changes or successful changes?
  - Change management isn’t about inspection – it’s about having appropriate controls and processes.
  - Change management is a control gate but it also generates data that can, and must, be used to improve processes.
- 80% of the fires IT fights are generated by IT!
  - Even if that number is high, a very large percentage of unplanned work (45% in one client’s case) is caused by failed changes.

Reducing operating costs
The relationship between change management and reducing operating costs
- Who here
  - Has budget limitations?
  - Has more work than what his/her IT organization can handle?
  - Who has spare headcount sitting idle?
- If we can reduce unplanned work
  - Operating expenses are decreased
  - Headcount is freed up from performing unproductive work
  - Planned Projects can be addressed instead

The snail and the rabbit, or the illusion behind: "Bro, forget the bureaucracy and let me install the patch on the server, 5 minutes and we're done"
- Getting things done quickly is vastly different than getting the right things done quickly
- Beware the delusion of speed – you may be moving quickly, but is it in the right direction?

Gartner tells us that 70% of business executives believe that technology innovation is critical yet 80% of the actual investment is spent on infrastructure and core operations. 45% of business executives strongly agreed that IT was too focused on day-to-day IT requirements. This tells us that IT is losing attraction due to problems. This is the curse of firefighting – investing too many resources in unplanned work.

Don't try to eliminate the risk
You can spend a fortune and you will never truly hit a 100% level of assurance. The objective is to lower risk to an acceptable level, not eliminate it because you can’t!
[Chart: level of assurance (up to 100%) versus level of investment / cost ($)]